Publications

Featured research published by Xiaofei Guo.


Design Automation Conference | 2012

Invariance-based concurrent error detection for advanced encryption standard

Xiaofei Guo; Ramesh Karri

Naturally occurring and maliciously injected faults reduce the reliability of Advanced Encryption Standard (AES) and may leak confidential information. We developed an invariance-based concurrent error detection (CED) scheme which is independent of the implementation of AES encryption/decryption. Additionally, we improve the security of our scheme with Randomized CED Round Insertion and adaptive checking. Experimental results show that the invariance-based CED scheme detects all single-bit faults, all single-byte faults, and 99.99999997% of burst faults. The area and delay overheads of this scheme are compared with those of previously reported CED schemes on two Xilinx Virtex FPGAs. The hardware overhead is in the 13.2–27.3% range and the throughput is between 1.8 and 42.2 Gbps depending on the AES architecture, FPGA family, and the detection latency. One can implement our scheme in many ways; designers can trade off performance, reliability, and security according to the available resources.


IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems | 2013

Recomputing with Permuted Operands: A Concurrent Error Detection Approach

Xiaofei Guo; Ramesh Karri

Naturally occurring and maliciously injected faults reduce the reliability of cryptographic hardware and may leak confidential information. We develop a concurrent error detection (CED) technique called recomputing with permuted operands (REPO). We show that it is cost effective in the Advanced Encryption Standard (AES) and the secure hash function Grøstl. We provide experimental results and formal proofs to show that REPO detects all single-bit and single-byte faults. Experimental results show that REPO achieves close to 100% fault coverage for multiple-byte faults. The hardware and throughput overheads are compared with those of previously reported CED techniques on two Xilinx Virtex FPGAs. The hardware overhead is 12.4–27.3%, and the throughput is 1.2–23 Gbps, depending on the AES architecture, FPGA family, and detection latency. The performance overhead ranges from 10% to 100% depending on the security level. Moreover, the proposed technique can be integrated into various block cipher modes of operation. We also discuss the limitations of REPO and its potential vulnerabilities.


Journal of Cryptographic Engineering | 2015

Security analysis of concurrent error detection against differential fault analysis

Xiaofei Guo; Debdeep Mukhopadhyay; Chenglu Jin; Ramesh Karri

Differential fault analysis (DFA) poses a significant threat to the Advanced Encryption Standard (AES). Only a single faulty ciphertext is required to extract the secret key. Concurrent error detection (CED) is widely used to protect AES against DFA. Traditionally, these CEDs are evaluated with uniformly distributed faults, and the resulting fault coverage indicates the security of the CEDs against DFA. However, DFA-exploitable faults, which are a small subspace of the entire fault space, are not uniformly distributed. Therefore, fault coverage does not accurately measure the security of the CEDs against DFA. We provide a systematic study of DFA of AES and show that an attacker can inject biased faults to improve the success rate of the attacks. We propose fault entropy (FE) and fault differential entropy (FDE) to evaluate CEDs. We show that most CEDs with high fault coverage are not secure when evaluated with FE and FDE. This work challenges the traditional use of fault coverage for uniformly distributed faults as a metric for evaluating the security of CEDs against DFA.


Hardware-Oriented Security and Trust | 2014

NREPO: Normal basis Recomputing with Permuted Operands

Xiaofei Guo; Debdeep Mukhopadhyay; Chenglu Jin; Ramesh Karri

Hardware implementations of cryptographic algorithms are vulnerable to natural and malicious faults. Concurrent Error Detection (CED) can be used to detect these faults. We present NREPO, a CED which does not require redundant computational resources in the design. Therefore, one can integrate it when computational resources are scarce or when the redundant resources are difficult to harness for CED. We integrate NREPO in a low-cost Advanced Encryption Standard (AES) implementation with an 8-bit datapath. We show that NREPO has 25 and 50 times lower fault miss rate than robust code and parity, respectively. The area, throughput, and power are compared with other CEDs on a 45 nm ASIC. The hardware overhead of NREPO is 34.9%. The throughput and power are 271.6 Mbps and 1579.3 μW, respectively. One can also implement NREPO in other cryptographic algorithms.


Archive | 2016

Fault Attacks on AES and Their Countermeasures

Subidh Ali; Xiaofei Guo; Ramesh Karri; Debdeep Mukhopadhyay

Fault attacks exploit malicious or accidental faults injected during the computation of a cryptographic algorithm. Combining the seminal idea by Boneh, DeMillo and Lipton with Differential Cryptanalysis, a new field of Differential Fault Attacks (DFA) has emerged. DFA has shown that several ciphers can be compromised if the faults can be suitably controlled. DFA is not restricted to old ciphers, but can be a powerful attack vector even for modern ciphers, like the Advanced Encryption Standard (AES). In this book chapter, we present an overview of the history of fault attacks and their general principle. The chapter subsequently concentrates on the AES algorithm and explains the developed fault attacks. The chapter covers the entire range of attacks, finally showing that a single random byte fault can reduce the AES key to 2^8 values, with a time complexity of 2^30. Further extensions of the fault attack to multiple-byte fault models and attacks targeting the AES key schedule are also presented in the chapter. These attacks emphasize the requirement of countermeasures to detect the underlying faults and accordingly suppress the invalid output. The chapter then presents a survey of existing DFA countermeasures, concluding with the efficient Concurrent Error Detection (CED) schemes which have been developed utilizing the invariance properties in AES. Such a strategy provides near 100% fault coverage at low overhead. The combined chapter shows that DFA against AES is practical, and can be prevented using suitable techniques.


Hardware and Architectural Support for Security and Privacy | 2015

Exploiting small leakages in masks to turn a second-order attack into a first-order attack

Alexander DeTrano; Sylvain Guilley; Xiaofei Guo; Naghmeh Karimi; Ramesh Karri

Masking countermeasures, used to thwart side-channel attacks, have been shown to be vulnerable to mask-extraction attacks. State-of-the-art mask-extraction attacks on the Advanced Encryption Standard (AES) algorithm target S-Box recomputation schemes, but have not been applied to scenarios where S-Boxes are precomputed offline. We propose an attack targeting precomputed S-Boxes stored in nonvolatile memory. Our attack targets AES implemented in software protected by a low entropy masking scheme and recovers the masks with 91% success rate. Recovering the secret key requires fewer power traces (in fact, by at least two orders of magnitude) compared to a classical second-order attack. Moreover, we show that this attack remains viable in a noisy environment, or with a reduced number of leakage points.


Journal of Electronic Testing | 2014

Low-Cost Concurrent Error Detection for GCM and CCM

Xiaofei Guo; Ramesh Karri

In many applications, encryption alone does not provide enough security. To enhance security, dedicated authenticated encryption (AE) modes have been invented. Galois Counter Mode (GCM) and Counter with CBC-MAC mode (CCM) are the AE modes recommended by the National Institute of Standards and Technology. To support high data rates, AE modes are usually implemented in hardware. However, natural faults reduce their reliability and may undermine both their encryption and authentication capability. We present a low-cost concurrent error detection (CED) scheme for 7 AE architectures. The proposed technique exploits idle cycles of the AE mode architectures. Experimental results show that the performance overhead can be lower than 100% for all architectures depending on the workload. FPGA implementation results show that the hardware overhead is in the 0.1–23.3% range and the power overhead is in the 0.2–23.2% range. ASIC implementation results show that the hardware overhead is in the 0.1–22.8% range and the power overhead is in the 0.3–12.6% range. The underlying block cipher and hash module need not have CED built in. Thus, it allows system designers to integrate block cipher and hash function intellectual property from different vendors.


IEEE Transactions on Emerging Topics in Computing | 2016

Can Algorithm Diversity in Stream Cipher Implementation Thwart (Natural and) Malicious Faults

Xiaofei Guo; Chenglu Jin; Chi Zhang; Athanasios Papadimitriou; David Hely; Ramesh Karri

Hardware implementations of stream and other ciphers are vulnerable to natural faults. Moreover, attackers can launch fault attacks on these implementations. Concurrent error detection is used as a countermeasure against natural and malicious faults. We propose algorithm diversity (AD) to detect natural and malicious faults in stream ciphers. We compare AD with hardware, time, and information redundancies. Hardware redundancy has 100% hardware overhead, but is not secure against fault attacks. Time redundancy has lower hardware overhead, but is vulnerable to faults that are injected in both the computation and the recomputation. Information redundancy techniques, such as parity, cannot detect an even number of faulty bits. Information redundancy techniques, such as robust code, have a higher fault miss rate (FMR) with higher hardware overhead. If robust code is configured to have a lower FMR than AD in a certain attacker model, the hardware overhead is excessively high. AD provides higher security compared to existing techniques. It enables a cost-effective tradeoff between security, performance overhead, and hardware overhead.


Hardware-Oriented Security and Trust | 2015

Simulation and analysis of negative-bias temperature instability aging on power analysis attacks

Xiaofei Guo; Naghmeh Karimi; Francesco Regazzoni; Chenglu Jin; Ramesh Karri

Transistor aging is an important failure mechanism in nanoscale designs and is a growing concern for the reliability of future systems. Transistor aging results in circuit performance degradation over time and ultimately in circuit failure. Among aging mechanisms, Negative-Bias Temperature Instability (NBTI) has become the leading limiting factor of circuit lifetime. While the impact of transistor aging is well understood from the device point of view, very little is known about its impact on security, and in particular on power analysis attacks. This paper fills the gap by evaluating the effects of aging on power analysis attacks. Our experimental results obtained using the PRESENT algorithm show that CPA attacks are not significantly affected by aging, while the success rate of template attacks changes significantly.


The Scientific World Journal | 2015

Exploiting Small Leakages in Masks to Turn a Second-Order Attack into a First-Order Attack and Improved Rotating Substitution Box Masking with Linear Code Cosets

Alexander DeTrano; Naghmeh Karimi; Ramesh Karri; Xiaofei Guo; Claude Carlet; Sylvain Guilley

Masking countermeasures, used to thwart side-channel attacks, have been shown to be vulnerable to mask-extraction attacks. State-of-the-art mask-extraction attacks on the Advanced Encryption Standard (AES) algorithm target S-Box recomputation schemes but have not been applied to scenarios where S-Boxes are precomputed offline. We propose an attack targeting precomputed S-Boxes stored in nonvolatile memory. Our attack targets AES implemented in software protected by a low entropy masking scheme and recovers the masks with 91% success rate. Recovering the secret key requires fewer power traces (in fact, by at least two orders of magnitude) compared to a classical second-order attack. Moreover, we show that this attack remains viable in a noisy environment or with a reduced number of leakage points. Eventually, we specify a method to enhance the countermeasure by selecting a suitable coset of the masks set.

Collaboration

Top co-authors of Xiaofei Guo:
Debdeep Mukhopadhyay

Indian Institute of Technology Kharagpur

Chenglu Jin

University of Connecticut

David Hely

Grenoble Institute of Technology
